b'OFFICE OF INSPECTOR GENERAL\n\n             Audit Report\n  Fiscal Year 2007 Financial Statement Audit\n            Letter to Management\n\n\n              Report No. 08-01\n               March 6, 2008\n\n\n\n\n RAILROAD RETIREMENT BOARD\n\x0c                        UNITED STATES RAILROAD RETIREMENT BOARD\n\n                                      OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                                                 March 6, 2008\n\n\nMichael S. Schwartz\nChairman\nU.S. Railroad Retirement Board\n\n\nThe purpose of this letter is to transmit a memorandum on internal control\ncommunicating certain matters concerning internal control that came to our\nattention during our recent audit of the Railroad Retirement Board\xe2\x80\x99s (RRB)\nfinancial statements.\n\nWe have audited the RRB\xe2\x80\x99s general purpose financial statements and issued our\nreport thereon dated November 2, 2007, except for matters relating to the fair\nmarket value of the net assets of the National Railroad Retirement Investment\nTrust as of September 30, 2007, as to which the date was November 15, 2007.\nWe performed our audit in accordance with U.S. generally accepted government\nauditing standards and OMB audit guidance as applicable to the scope of our\naudit. 1 We have not considered internal control since we obtained sufficient\nappropriate audit evidence to support the audit opinion on November 2, 2007;\ninternal control was not among those matters to which we gave consideration\nbetween November 2nd and November 15th.\n\nDuring our audit, we noted certain matters involving the RRB\xe2\x80\x99s internal control\nstructure and its operation that, individually, did not rise to the level of a\nsignificant deficiency, the details of which are presented in the attached\nmemorandum. That memorandum also presents the full text of those matters\npreviously reported as material weaknesses and significant deficiencies in\nconjunction with our opinion on the financial statements. However, neither this\nletter, nor the attached memorandum, modifies our report dual dated as of\nNovember 2, 2007 and November 15, 2007, referred to above.\n\nOur observations concerning internal control were presented to responsible\nagency management who were offered the opportunity to review and comment\non the draft memorandum. Their responses are also attached.\n\nIn planning and performing this audit, we considered internal control in order to\ndetermine our auditing procedures for the purpose of issuing our report on the\nRRB\xe2\x80\x99s principal financial statements and not to provide assurance on internal\ncontrol. The maintenance of adequate internal control designed to fulfill the\n\n1\n    See our report on the RRB\xe2\x80\x99s financial statement for a full description of the scope and methodology.\n\x0c                                                                              Page 2\n\n\nRRB\'s control objectives is the responsibility of management. Because of\ninherent limitations in any system of internal control, errors or irregularities may\nnevertheless occur and not be detected. Also, controls found to be functioning at\na point in time may later be found deficient because of the performance of those\nresponsible for applying them. There can be no assurance that controls currently\nin existence will prove to be adequate in the future as changes take place in the\norganization.\n\nOur work was not conducted for the primary purpose of making detailed\nrecommendations about the RRB\'s system of internal control. Had we done so,\nother matters might have come to our attention that we would have reported to\nyou.\n\nWe wish to express our appreciation for the many courtesies and cooperation\nextended to us during the audit.\n\n\n                                                 Very truly yours,\n\n\n\n                                             ~)~\n                                                 Martin J. Dickman\n                                                 Inspector General\n\n\nAttachments\n\ncc:\t V.M. Speakman, Jr., Labor Member\n     Jerome F. Kever, Management Member\n     Kenneth P. Boehne, Chief Financial Officer\n     John M. Walter, Chair, Management Control Review Committee\n     Henry M. Valiulis, Director of Administration/Senior Executive Officer\n     Steven A. Bartholow, General Counsel\n     Frank J. Buzzi, Chief Actuary\n     Beatrice E. Ezerski, Secretary to the Board\n\x0cLetter to Management                                                              Page 1\n                           Memorandum on Internal Control\n                                 Table of Contents\n\nMATERIAL WEAKNESSES AND SIGNIFICANT DEFICIENCIES\n\n  Material Weaknesses\n\n       Information Security                                                  3\n\n       Social Insurance Fund Balance                                         3\n\n  Significant Deficiencies\n\n       Financial Reporting                                                   4\n\nOTHER MATTERS INVOLVING INTERNAL CONTROL\n\n       Implementation of the Modified Cash Basis of Accounting               6\n\n       Interim Financial Statements Report Outdated Information              7\n       about the National Railroad Retirement Investment Trust\n\n       Incorrect Beginning Balances for the Statement of Budgetary           8\n       Resources and the Statement of Changes in Net Position\n\n       Documentation to Evidence Compliance with GAAP                        9\n\n       Controls Needed to Ensure Timely Recording                            9\n\n       Controls Over Financial Reporting                                     10\n\n       Discrepancies in Manual Intragovernmental Confirmations               11\n\n       Preparation and Approval of Journal Vouchers                          12\n\n               Financial Interchange Advances                                12\n\n               Transfers from the Department of Labor                        12\n\n               Reimbursement from the Social Security Administration         13\n\n               Inaccurate Supporting Schedule                                13\n\n       Quality Assurance Process for Voucher Preparation                     13\n\n       Executing and Recording Transactions                                  15\n\n       Documentation for Legal Representation Process                        15\n\n       Internal Controls over Payroll Activities                             16\n\n       Controls Over the Actuarial Projection Process and Social Insurance   18\n       Reporting\n\x0cLetter to Management                                                         Page 2\n                       Memorandum on Internal Control\n                             Table of Contents\nATTACHMENTS\n\n   1. Bureau of the Actuary                                             20\n\n   2. Bureau of Fiscal Operations\xe2\x80\x99 Accounting, Treasury and Financial   21\n      Systems Division\n\n   3. Office of General Counsel                                         25\n\n   4. Management Control Review Committee                               26\n\n   5. Executive Committee                                               27\n\x0cLetter to Management                                                                    Page 3\n                           Memorandum on Internal Control\n\nMATERIAL WEAKNESSES AND SIGNIFICANT DEFICIENCIES\n\nIn conjunction with our opinion on the RRB\xe2\x80\x99s financial statements for the fiscal\nyears ended September 30, 2007 and 2006, we reported the following material\nweaknesses and significant deficiencies.\n\nMaterial Weaknesses\n\nInformation Security\n\nDuring fiscal year (FY) 2007, the Office of Inspector General (OIG) evaluated\ninformation security pursuant to the provisions of the Federal Information Security\nManagement Act. 2 Our review disclosed continued weaknesses in many areas of\nthe RRB\xe2\x80\x99s information security program. Significant deficiencies in program\nmanagement and access controls make the agency\xe2\x80\x99s information security program\na source of material weakness in internal control.\n\nRRB efforts to strengthen information security continue and progress is being\nmade; however, previously identified significant deficiencies in access controls,\nrisk assessments, and periodic testing and evaluation continue to exist. In\naddition, the agency\xe2\x80\x99s information security program is not yet fully compliant with\ncurrent requirements for risk based policies and procedures, a certification and\naccreditation program, a comprehensive remedial action process, continuity of\noperations planning, and inventory of systems.\n\nAgency management is working to address the weaknesses in its information\nsecurity program. Although some progress has been made, much work remains\nto be completed.\n\nSocial Insurance Fund Balance\n\nThe RRB does not have a consistent theory under which it computes the\nRailroad Retirement program\xe2\x80\x99s fund balance for social insurance reporting.\n\nThe actuarial assumptions and methods used to measure amounts in the\nstatement of social insurance for financial accounting and disclosure purposes\nshould represent the agency\xe2\x80\x99s best estimates. The program fund balance at the\nbeginning of the period is important because it impacts estimated future tax rates\non which estimates of future income are based. In addition, the availability of the\nfund balance to offset any long term estimated actuarial liability created by a\nshortfall of income over expense is important to understanding the financial\ncondition of the Railroad Retirement program.\n\n\n2\n \xe2\x80\x9cFiscal Year 2007 Evaluation of Information Security at the Railroad Retirement Board,\xe2\x80\x9d OIG\nReport #07-08, September 27, 2007\n\x0cLetter to Management                                                          Page 4\n                        Memorandum on Internal Control\n\nDuring our audit, we observed that the RRB had used different methods to\ncompute its social insurance fund balance as of January 1, 2006, compared with\nJanuary 1, 2007, including some amounts previously excluded and excluding\nother amounts that had been previously included. The impact of the social\ninsurance fund balance on actuarial projections of income and expense for the\nRailroad Retirement program is described in Note 15 to the RRB\xe2\x80\x99s FY 2007\nfinancial statements.\n\nThe RRB\xe2\x80\x99s actuarial projections also include estimates of future tax rates.\nInquiries of management disclosed that neither the 2006 nor the 2007 fund\nbalance had been computed on the same basis used to compute tax rates under\nthe account benefit ratio method for which purpose the agency includes the net\nassets of the NRRIT as computed under generally accepted accounting\nprinciples (GAAP) for private investment companies, the same method used to\nreport on NRRIT-held assets in the RRB\xe2\x80\x99s balance sheet.\n\nInconsistencies in fund balance methodology undermine management\xe2\x80\x99s\nassertion of best estimate and make comparative presentation less meaningful.\n\nRecommendation\n\nWe recommend that the Bureau of the Actuary:\n\n    1. work with the Bureau of Fiscal Operations to develop a consistent theory\n       for computing and reporting the Railroad Retirement program\xe2\x80\x99s fund\n       balances.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of the Actuary concurred with the recommendation. The full text of\nmanagement\xe2\x80\x99s response is presented as Attachment 1 to this memorandum.\n\n\nSignificant Deficiencies\n\nFinancial Reporting\n\nOver the years agency responsibility for financial reporting has grown from\npreparation of financial statements within six months of fiscal year-end, to\npublication of an annual performance and accountability report within 45 days of\nfiscal year-end. Publication of that report is an exercise in public accountability\nof which preparation of accurate, reliable financial statements is but a single part.\n\x0cLetter to Management                                                          Page 5\n                        Memorandum on Internal Control\n\nThe Bureau of Fiscal Operations (BFO) is responsible for preparing agency\nfinancial statements and publishing the RRB\xe2\x80\x99s annual performance and\naccountability report. During our FY 2006 audit, we observed that existing\nprocedures and controls over its financial reporting process needed to be\nupdated to fully ensure the quality of the RRB\xe2\x80\x99s response to the expanding\nresponsibilities and short timeframes inherent to the Federal financial reporting\nprocess. We also observed that the existing control framework was overly reliant\non the OIG\xe2\x80\x99s annual audit of the financial statements to ensure the completeness\nand accuracy of the performance and accountability report.\n\nDuring FY 2007, we found the agency\xe2\x80\x99s reporting process much improved by the\nefforts of BFO management and staff. BFO responded to the OIG\xe2\x80\x99s prior year\nfinding by implementing OIG-recommended corrective actions and by\nimplementing an enhanced year-end financial statement review process of their\nown design.\n\nAlthough the process has been strengthened, the corrective action has not yet\nbeen in operation for a full fiscal year. Accordingly, the OIG continues to cite\nfinancial reporting as an area of significant deficiency in internal control pending\na full year of experience demonstrating the effectiveness of controls over time.\n\x0cLetter to Management                                                         Page 6\n                       Memorandum on Internal Control\n\nReaders should note that the errors found in the July 2007 version of the\nPerformance and Accountability Report (P&AR) were corrected prior to the final\npublication of the report. The errors that were uncorrected at September 30,\n2007, were provided to agency management on a Summary of Unadjusted\nMisstatements.\n\nImplementation of the Modified Cash Basis of Accounting\n\nDuring our audit, we questioned two reported year-end balances citing\nunrecorded accruals for carrier refunds of about $7.7 million which had been\nreported to the agency by the Internal Revenue Service.\n\nBFO stated that their treatment was consistent with the modified cash basis of\naccounting for tax revenue per Statement of Federal Financial Accounting\nStandard (SFFAS) #7. During our discussions, auditors noted that past\ndecisions which resulted in current procedure were not fully documented and had\nbeen developed by managers who were no longer on staff. As a result, BFO was\nnot able to fully support their application of the modified cash basis of accounting\nand the decision to exclude the accrual.\n\nRecommendation\n\nWe recommend that BFO:\n\n    2. review the applicable standard and make specific documented\n       determinations concerning how the modified cash basis of accounting\n       impacts the accounting and reporting of tax revenue.\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to review the applicable standard and present in BFO\xe2\x80\x99s\nAccounting Procedures Guide how the modified cash basis of accounting\nimpacts the accounting reporting of tax revenue.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\x0cLetter to Management                                                                     Page 7\n                           Memorandum on Internal Control\n\nInterim Financial Statements Report Outdated Information about the\nNational Railroad Retirement Investment Trust (NRRIT)\n\nThe RRB does not receive timely information about the value of assets held and\ninvested by the NRRIT to support quarterly financial reporting.\n\nThe NRRIT is not a Federal agency. 3 As a result, the RRB must rely on the\nNRRIT to provide monthly information which allows the RRB to calculate the\nchange in the NRRIT\'s net asset value. This monthly information is provided\npursuant to a memorandum of understanding between the RRB, NRRIT, Office\nof Management and Budget (OMB) and the Department of the Treasury that\npermits the NRRIT to report its balances on a one month delay. For example, for\nthe period ended June 30, 2007, the RRB reported NRRIT net assets as valued\non May 31, 2007, which resulted in an overstatement of the RRB\xe2\x80\x99s assets of\nabout $200,000,000.\n\nIn a letter dated October 30, 2007, the Department of the Treasury expressed\nconcerns regarding timely and consistent reporting of NRRIT balances for interim\nperiods and asked the RRB to place more emphasis on eliminating the one\nmonth delay.\n\nRecommendations\n\nWe recommend that BFO:\n\n    3. work with the NRRIT to obtain reports of NRRIT net assets within\n       timeframes that will support the RRB\xe2\x80\x99s interim financial reporting\n       responsibilities;\n    4. include footnote disclosure of the use of any out-of-date information; and\n    5. advise recipients of interim financial reports prepared with out-of-date\n       information of the correct amount when it becomes available and the\n       related discrepancy.\n\n\n\n\n3\n Under provisions of the Railroad Retirement Survivors\xe2\x80\x99 Improvement Act (RRSIA), the NRRIT is\nnot a department, agency, or instrumentality of the Government of the United States and shall not\nbe subject to Title 31, United States Code.\n\x0cLetter to Management                                                        Page 8\n                       Memorandum on Internal Control\n\nManagement\xe2\x80\x99s Response\n\nIn regard to recommendation 3, the Chief Financial Officer contacted the NRRIT\nregarding elimination of a month from the current reporting cycle and reports that\nthe NRRIT responded that they do not see how they can eliminate a month from\nthe current cycle of financial reporting.\n\nWith respect to recommendation 4, BFO responded that they have already\nincluded a footnote disclosure to the balance sheet for the first quarter of FY\n2008. In regard to recommendation 5, BFO responded that they have e-mailed\nthe correct NRRIT balance to recipients of the balance sheet for the first quarter\nof FY 2008.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\n\nIncorrect Beginning Balances for the Statement of Budgetary Resources\nand the Statement of Changes in Net Position\n\nDuring our audit, we identified errors in the opening balances of three budgetary\ngeneral ledger accounts as of June 30th. In addition, the statement of net\nposition, as of June 30th, incorrectly reported the agency\xe2\x80\x99s beginning FY 2006\ncumulative results of operation. In each case, the questioned balances did not\nagree with the audited balances reported as of the end of the prior period.\n\nOMB Circular A-136 states that beginning balances for the current year should\nbe in agreement with ending balances from the prior year.\n\nRecommendation\n\nWe recommend that BFO:\n\n    6. review its existing procedures and identify means to better ensure the\n       accuracy of opening balances, including timely identification, to ensure\n       the accuracy of interim reporting.\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to review existing procedures and formalize them in a section of\nBFO\xe2\x80\x99s Accounting Procedures Guide. The full text of management\xe2\x80\x99s response is\npresented as Attachment 2 to this memorandum.\n\x0cLetter to Management                                                       Page 9\n                       Memorandum on Internal Control\n\nDocumentation to Evidence Compliance with GAAP\n\nDuring our audit, we observed that BFO had not retained the recommended\ndocumentation to evidence agency compliance with U.S. Generally Accepted\nAccounting Principles (GAAP).\n\nThe Government Accountability Office (GAO) has developed checklists to\nsupport such compliance assessments and has recommended their use for\nentities that prepare Federal financial statements. These checklists which\nprovide a basis for assessing compliance with Federal accounting, reporting and\ndisclosure requirements, can also serve as a tool to identify deficiencies in the\nform and content of agency statements.\n\nBFO personnel have advised auditors that they had reviewed, but not formally\ncompleted, the GAO Checklist.\n\nRecommendation\n\nWe recommend that BFO:\n\n    7. complete the GAO checklist each year to evidence compliance with\n       GAAP or develop an equivalent control.\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to \xe2\x80\x9crevise the APG to formally complete the GAO Checklist.\xe2\x80\x9d\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\n\nControls Needed to Ensure Timely Recording\n\nImprovement is needed for the internal controls over the receipt of supporting\ndocumentation required for voucher preparation. During our audit we observed\nthat Railroad Unemployment Insurance Act (RUIA) benefit payments totaling\nalmost $1 million were not recorded in March 2007, the month in which they were\ndisbursed. The benefit payments were recorded in the next accounting period,\nApril 2007, when the documentation was received from the Office of Programs.\n\nBFO records benefit payment activity in the general ledger upon the advice of the\nOffice of Programs which orders the payments. In this case, BFO did not receive\nthe necessary documentation from the Office of Programs and was not alerted to\nthe disbursement. As a control to prevent such errors, BFO performs a\nreconciliation of confirmations from the disbursement system to the general\nledger. However, that control was not effective and did not detect the delay in\nrecording the benefit payment disbursement.\n\x0cLetter to Management                                                        Page 10\n                       Memorandum on Internal Control\n\n\nRecommendation\n\nWe recommend that BFO:\n\n    8. determine the reason the existing control was ineffective and take\n       additional action to strengthen controls over this process.\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to take additional action to strengthen controls over this\nprocess. The full text of management\xe2\x80\x99s response is presented as Attachment 2\nto this memorandum.\n\n\nControls Over Financial Reporting\n\nDuring FY 2007, BFO acted on prior audit recommendations to strengthen\ncontrols over the financial reporting process. However, we continue to note\nsome errors.\n\n   \xe2\x80\xa2   The schedule of entries eliminating interfund transactions in consolidation\n       lacked sufficient detail with respect to the affected funds. (September 30th)\n\n   \xe2\x80\xa2   The reconciliation of the net cost of operations to the budget contained a\n       balance which could not be supported. The supporting schedule also\n       presented a total for several lines that did not agree to the mathematical\n       sum of those lines. (June 30th)\n\n   \xe2\x80\xa2   The Earmarked Funds Note was incorrect because an eliminating entry\n       was omitted. (June 30th)\n\nRecommendation\n\nWe recommend that BFO:\n\n    9. determine the cause of the errors identified during our audit, whether\n       existing controls were in operation, and whether additional controls may\n       be required to ensure that the financial statements, notes, and supporting\n       schedules are properly designed and operating as intended throughout\n       the year.\n\x0cLetter to Management                                                       Page 11\n                       Memorandum on Internal Control\n\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to add additional guidance on these matters in the BFO\nAccounting Procedures Guide. The full text of management\xe2\x80\x99s response is\npresented as Attachment 2 to this memorandum.\n\n\nDiscrepancies in Manual Intragovernmental Confirmations\n\nThe RRB uses electronic mail transmissions to confirm intragovernmental\nbalances with selected Federal trading partners. During the reconciliation\nprocess that supported financial reporting at June 30, 2007, BFO asked four\ntrading partners to confirm incorrect account balances because errors were\nmade in preparing the electronic messages.\n\nAlthough none of the differences were material, errors in the communications\nthat initiate the confirmation process create a risk of further errors in the\naccounting processes that rely on such confirmations.\n\nRecommendation\n\nWe recommend that BFO:\n\n    10. strengthen the existing review process to ensure the accuracy of\n        confirmations sent to Federal trading partners.\n\nManagement\xe2\x80\x99s Response\n\nBFO responded that they have recently modified the BFO Accounting\nProcedures Guide Section 9 on RRB Intragovernmental Policies and Procedures\nand will fully implement them for the next quarterly processing.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\x0cLetter to Management                                                         Page 12\n                       Memorandum on Internal Control\n\nPreparation and Approval of Journal Vouchers\n\nDuring FY 2007 BFO implemented new procedures in response to prior audit\nrecommendations to strengthen controls over preparation of the paper vouchers\nand related support that document general ledger accounting. However, we\ncontinue to note some errors as described below.\n\nFinancial Interchange Advances\n\n   \xe2\x80\xa2   BFO personnel prepared ten vouchers, including the preparer\xe2\x80\x99s signature,\n       from the period November 2006 through August 2007 to record Treasury\n       advances of approximately $2.7 billion prior to completion of the transfer.\n       Although not recorded in the general ledger until the advance was\n       received, the vouchers should not have been signed by a preparer until\n       the transfers took place because evidence of transfer is required to\n       support the transaction.\n   \xe2\x80\xa2   Seven of the ten vouchers were approved by a reviewer prior to the\n       transfer. The vouchers should not have been approved because available\n       documentation was inadequate to support the voucher.\n   \xe2\x80\xa2   In preparing the above vouchers, BFO staff dated the voucher with the\n       anticipated date of the transfer. As a result, the voucher date is after the\n       preparation and, in seven cases, after the approval date.\n   \xe2\x80\xa2   We also found one voucher with a computer-generated signature for the\n       preparer for which initials were not provided.\n   \xe2\x80\xa2   Eleven vouchers were not supported by RRB internal memoranda\n       authorizing investment of the funds on receipt.\n\nTransfers from the Department of Labor\n\nPeriodically, funds from the Department of Labor are transferred back to the RRB\nas needed to pay benefits.\n\nWe identified seven vouchers that did not include signed letters authorizing the\ncash transfers. Six vouchers were supported only by unsigned letters; one\nvoucher did not include a letter.\n\nTwo of the seven incidents described above occurred in July 2007, after new\nBFO procedures had been implemented.\n\x0cLetter to Management                                                       Page 13\n                       Memorandum on Internal Control\n\nReimbursement from the Social Security Administration\n\nThe Office of Programs prepares a memorandum requesting a transfer of funds\nfrom the Social Security Administration to fund the social security portion of the\nrecurring monthly check issue. The memorandum is sent to BFO and it is used\nto initiate the request for the transfer of funds and to record the transaction.\n\nDuring our audit, we identified two of the 12 monthly vouchers that were\nsupported by memoranda that did not include the signatures of the \xe2\x80\x9cAuthorizing\nCertifying Officer\xe2\x80\x9d and \xe2\x80\x9cReviewer\xe2\x80\x9d in the Office of Programs. We did not see any\nevidence that these memoranda had been questioned by BFO.\n\nInaccurate Supporting Schedule\n\nDuring our audit, we identified a voucher used to record disbursement of RUIA\nbenefit payments that was supported by incorrect information. Although the\nvoucher was accurate as to amount, the supporting schedule was incorrect as to\npayment control numbers which link the recorded payments to documentation\nprovided by the Office of Programs, where payment originates.\n\nRecommendation\n\nWe recommend that BFO:\n\n    11. instruct staff on the proper documentation needed to support transactions\n        prior to the preparation of a voucher, the need to evidence proper voucher\n        preparation even when automated signatures are used, and the need for\n        accurate and consistent documentation to support journal vouchers.\n\nManagement\xe2\x80\x99s Response\n\nBFO plans to continue to instruct staff on the proper documentation for vouchers\nand will enhance BFO\xe2\x80\x99s Accounting Procedures Guide section on the preparation\nof vouchers.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\n\nQuality Assurance Process for Voucher Preparation\n\nDuring FY 2007, in response to prior OIG recommendations for improved\ncontrols over the voucher preparation process, BFO developed a quality\nassurance process. Our review of the documentation for this process indicates\nthat this new process could be more effective.\n\x0cLetter to Management                                                       Page 14\n                       Memorandum on Internal Control\n\nAs presently designed, the quality assurance process relies on very small sample\nsizes (five vouchers a month) and does not provide for random selection (the\nsame vouchers could be reviewed each month). In addition, the sample\nevaluation criteria may not flag errors for corrective action. For example, current\nprocedure provides that if two exceptions are found, the voucher is considered\nacceptable; a voucher will only be identified as incomplete if three or more errors\nare found for that voucher. Existing procedures do not provide for an action plan\nthat responds to errors once identified.\n\nWe also observed that quality assurance reviewers may be hampered by the lack\nof guidance concerning management\xe2\x80\x99s expectations concerning voucher\ndocumentation. The current process could be strengthened by examples of\nproperly prepared vouchers as a reference for quality assurance reviewers and\nresponsible staff.\n\nRecommendations\n\nWe recommend that BFO:\n\n    12. refine the quality assurance process to increase the sample size, allow for\n        a wider selection of vouchers to be reviewed, and to redefine the number\n        of acceptable errors;\n    13. support the quality assurance process by documenting examples of a\n        properly completed voucher, including required documentation for each\n        recurring voucher; and\n\n    14. develop a specific procedure for how the results of the quality assurance\n        evaluation will be used to improve performance.\n\nManagement\xe2\x80\x99s Response\n\nIn regard to recommendation 12 and 13, BFO has agreed to refine the quality\nassurance process and document examples of a properly completed voucher in\nBFO\xe2\x80\x99s Accounting Procedures Guide. With respect to recommendation 14, BFO\nhas agreed to document in BFO\xe2\x80\x99s Accounting Procedures Guide a specific\nprocedure for how results of the quality assurance evaluations will be used to\nimprove performance.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\n\x0cLetter to Management                                                                Page 15\n                          Memorandum on Internal Control\n\nExecuting and Recording Transactions\n\nDuring our audit, we observed that the individual responsible for executing\ntransfers from the Treasury system is also responsible for recording the\ntransaction in the general ledger. This practice does not provide for adequate\nseparation of duties.\n\nBFO documents the redemption of investments with memoranda prepared by the\nresponsible staff accountant. Each memorandum is prepared for the Accounting\nOfficer\xe2\x80\x99s signature and addressed to the BFO accountant responsible for\nexecuting the transaction. The accountant to which the memorandum is\naddressed not only executes the redemption transaction in the Treasury system,\nbut also prepares the voucher to record the transaction in the general ledger.\nKey duties and responsibilities need to be divided or segregated among different\npeople to reduce the risk of error or fraud. 4\n\nRecommendation\n\nWe recommend that BFO:\n\n    15. review the procedures for redemption of investments to ensure proper\n        segregation of duties.\n\nManagement\xe2\x80\x99s Response\n\nBFO has agreed to review the procedures for possible additional segregation of\nduties. The full text of management\xe2\x80\x99s response is presented as Attachment 2 to\nthis memorandum.\n\n\nDocumentation for Legal Representation Process\n\nDuring our audit, we observed that the Office of General Counsel had not fully\ndocumented procedures and activities supporting the legal representations that\nthey provided to auditors during the financial statement audit.\n\nInternal control and all transactions and other significant events need to be\nclearly documented, and the documentation should be readily available for\nexamination. 5\n\n\n\n4\n \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD-00-21.3.1 (11/99) page\n14\n5\n \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD-00-21.3.1 (11/99), page\n15\n\x0cLetter to Management                                                       Page 16\n                       Memorandum on Internal Control\n\nRecommendation\n\nWe recommend that the Office of General Counsel:\n\n    16. develop an internal control process for legal representations that complies\n        with applicable GAO internal control standards.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of General Counsel concurs with the recommendation. The full text of\nmanagement\xe2\x80\x99s response is presented as Attachment 3 to this memorandum.\n\n\nInternal Controls over Payroll Activities\n\nThe RRB needs to improve its controls over time and attendance data to require\nthe periodic reconciliation of data, proper separation of duties, and that the\nRRB\xe2\x80\x99s payroll responsibilities be clearly defined.\n\nThe GSA provides payroll processing service to the RRB. The RRB maintains\nsalary information which is the basis for hourly pay rates and inputs bi-weekly\ntime and attendance data. GSA computes the agency\xe2\x80\x99s payroll from this data\nand makes disbursement from the RRB\xe2\x80\x99s cash accounts at the U.S. Treasury.\nThe RRB records payroll expense based on GSA\xe2\x80\x99s report of bi-weekly payroll\nactivity.\n\nThe GSA payroll system is a distributed data processing system. RRB\nemployees enter time and attendance information from locations throughout the\nagency. Data is entered by the time and attendance clerk and must be approved\nby a second employee, termed the certifier.\n\nDuring our audit we observed that current agency procedure does not include\nperiodic reconciliation with the GSA system or analysis to identify processing\nerrors. In addition, we observed a lack of separation of duties which permits\nsome individuals to certify their own payroll information.\n\nWe are also concerned that the RRB may not have clearly defined the agency\xe2\x80\x99s\npayroll responsibilities, including control functions that remain at the RRB. While\nGSA has primary responsibility for the accuracy of payroll processing,\nresponsibility for certain control activities remain the responsibility of the RRB.\n\x0cLetter to Management                                                        Page 17\n                       Memorandum on Internal Control\n\nPursuant to the requirements of Statement on Auditing Standards (SAS) No. 70,\nService Organizations, GSA provided the RRB with a copy of\nPriceWaterHouseCoopers\xe2\x80\x99 Report on GSA National Payroll Center (NPC),\nPayroll Accounting and Reporting (PAR) System Controls which states that \xe2\x80\x9c[t]he\nNPC\xe2\x80\x99s applications and payroll process were designed with the assumption that\ncertain controls would be implemented by customer organizations.\xe2\x80\x9d A list of\nthose control responsibilities is presented below.\n\n   \xe2\x80\xa2   access to GSA\xe2\x80\x99s PAR system is restricted to authorized users;\n\n   \xe2\x80\xa2   authorized users in customer organizations behave in an appropriate\n       manner based on applicable security guidelines and recommendations;\n   \xe2\x80\xa2   personnel transactions are properly authorized within the user\n       organization, and are input completely and accurately or sent to GSA for\n       processing in a timely manner;\n   \xe2\x80\xa2   time and attendance data is properly authorized within the user\n       organization, and is input completely and accurately in a timely manner;\n   \xe2\x80\xa2   output reports are reviewed by appropriate individuals for completeness\n       and accuracy; and\n   \xe2\x80\xa2   output received from the NPC is routinely reconciled to relevant user\n       organization control totals.\n\nThe Management Control Review Committee provides oversight to the control\nassessment process that supports the RRB\xe2\x80\x99s reporting under the Federal\nManager\xe2\x80\x99s Financial Integrity Act (FMFIA). The most recent management\ncontrol review of payroll processing was in 1999, more than five years before the\nRRB began using the GSA system.\n\nRecommendations\n\nWe recommend that BFO:\n\n    17. perform quarterly reconciliations of cumulative general ledger totals with\n        the GSA system to coincide with financial reporting cut-off dates;\n    18. analyze GSA reports to identify trends that could identify processing\n        errors; and\n    19. review and update procedures and controls for recording time and\n        attendance.\n\x0cLetter to Management                                                          Page 18\n                        Memorandum on Internal Control\n\nWe recommend that the Management Control Review Committee:\n\n    20. work with BFO to update the risk assessment, chart of controls and\n        flowcharts to clearly identify the RRB\xe2\x80\x99s payroll responsibilities and to\n        identify new controls, such as periodic reconciliations and the proper\n        separation of duties.\n\nWe recommend that the RRB\'s Executive Committee:\n\n    21. implement an agencywide policy prohibiting employees from certifying\n        their own time and attendance or develop a compensating control.\n\nManagement\xe2\x80\x99s Response\n\nIn regard to recommendation 17, BFO responded that they have performed the\nfirst reconciliation on the first quarter FY 2008 totals. With respect to\nrecommendation 18, BFO responded that they have prepared trend data on a\nbiweekly basis. In regard to recommendation 19, BFO has agreed to review and\nupdate the Payroll User Guide which provides guidance for time and attendance.\nThe full text of BFO\xe2\x80\x99s response is presented as Attachment 2 to this\nmemorandum.\nWith respect to recommendation 20, the Management Control Review\nCommittee has agreed to work with BFO to update documentation of payroll\ncontrols. The full text of the Management Control Review Committee\xe2\x80\x99s response\nis presented as Attachment 4 to this memorandum.\n\nIn regard to recommendation 21, the Executive Committee has agreed to\ndevelop a compensating control to monitor time and attendance certification\nactivity. The full text of the Management Control Review Committee\xe2\x80\x99s response\nis presented as Attachment 5 to this memorandum.\n\n\nControls Over the Actuarial Projection Process and Social Insurance\nReporting\n\nThe RRB\xe2\x80\x99s Bureau of the Actuary is responsible for preparing the statement of\nsocial insurance. During our audit, we identified several areas in which controls\nover the actuarial projection process and social insurance reporting could be\nimproved.\n\nDuring our audit we observed that the Bureau of the Actuary\xe2\x80\x99s quality assurance\nprocess is limited to a high-level review of the final work product prior to release.\nAn effective quality assurance process should also include a detailed post-\nrelease review of the documentation and work product for conformance with\nestablished internal and external standards by a professional who did not\nparticipate in its preparation.\n\x0cLetter to Management                                                        Page 19\n                       Memorandum on Internal Control\n\n\nWe noted that the sign-off sheet which is retained as evidence that planned\ncontrol procedures were performed does not reference the related requirements\nin the applicable procedure manual and that it does not capture the date that the\nprocedure was performed. In addition, we noted that the procedure manual did\nnot reflect several recent updates to bureau procedure.\n\nRecommendations\n\nWe recommend that the Bureau of the Actuary:\n\n    22. develop additional quality assurance procedures;\n    23. reference the sign-off sheet to the procedure manual to ensure that the\n        sign-off process is complete with respect to required procedures;\n    24. require that the internal control sign-off sheet include the date procedures\n        are performed; and\n    25. update the procedure manual to ensure that it reflects current approved\n        practice.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of the Actuary concurred with the recommendations. With respect to\nrecommendation 24, the Bureau of the Actuary has agreed to include the last\ndate on the sign-off sheet for procedures performed on multiple dates.\n\nThe full text of management\xe2\x80\x99s response is presented as Attachment 1 to this\nmemorandum.\n\x0c                                            ATTACHMENT 1                                Page 20\n\n\n               UNITED STATES GOVERNMENT                                                 FORM 0\xc2\xb71161 (1-12)\n\n                                                                    RAILROAD RETIREMENT BOARD\n               MEMORANDUM\n\n\n                                                                   February 13, 2008\n\n\n\n\nTO:         Letty Benjamin Jay\n            Assistant Inspector General for Audit\n\nFROM:       Frank J. Buzzi    ;t-..A!.,/ ~~\n            Chief Actuary\n\nSUBJECT: Draft Letter to Management\n         FY 2007 Financial Statement Audit\n\n\nThank you for the opportunity to review and comment on the subject draft letter to\nmanagement.\n\nWe concur with recommendations 1,22,23,24, and 25. With respect to\nrecommendation 24, we will include the last date on the sign-off sheet for procedures\nperfonned on multiple dates.\n\nOur target completion date for these recommendations is July 31, 2008.\n\n\ncc: Chief Financial Officer\n\x0c                                         ATTACHMENT 2\t                            Page 21\n\n\n                  UNITED STATES GOVERNMENT\t                                           FORM G\xc2\xb71I6f [1\xc2\xb782]\n                                                                     RAILROAD RETIREMENT BOARD\n                 MEMORANDUM\n\n                                                                     FEB 21 ZOtl\nTO        ..   Letty B. Jay\n               Assistant Inspector General for Audit\n\n\nFROM      :    John M. Walter    j4...~. ~   {f/\n               Chief of Accounting, Treasury and Financial Systems\n               THROUGH: Kenneth P. Boehne             - # J J --" ~ /\n                             Chief Financial Officer ~ A"~\n\n\nSUBJECT: Letter to Management - Fiscal Year 2007 Financial Statement Audit\n\n\n\nThank you for giving us the opportunity to comment on your draft Letter to Management.\nWe appreciate that you recognize the financial reporting process has expanded\nresponsibilities and shorter time frames. The process has expanded from preparation\nof financial statements within 6 months of the fiscal year-end, to publication of an annual\nPerformance and Accountability Report within 45 days of the fiscal year-end. We have\nreviewed the above draft memorandum dated February 6, 2008, and our comments on\nrecommendations are as follows:\n\nRecommendations:\n\nWe recommend that BFO:\n\n     2.\t review the applicable standard and make specific documented\n\n         determinations concerning how the modified cash basis of accounting\n\n         impacts the accounting and reporting of tax revenue.\n\n\n        We will review the applicable standard and present in BFO\'s Accounting\n        Procedures Guide (APG) how the modified cash basis of accounting impacts\n        the accounting and reporting of tax revenue. Target date: June 2008.\n\n\n     3.\t work with the NRRIT to obtain reports of NRRIT net assets within\n\n         timeframes that will support the RRB\'s interim financial reporting\n\n         responsibilities;\n\n\n         On October 31,2007, the Chief Financial Officer contacted the NRRIT\n         regarding elimination of a month from the current reporting cycle. NRRIT\'s\n         Senior Administrative Officer responded as follows: "Regarding the\n         1st paragraph on the second page concerning the lag in reporting data to the\n\x0c                                                                             Page 22\n                                       - 2\xc2\xad\n                                                                             Attachment 2\n\n\n     RRB, to be candid, we do not see how we can eliminate a month from the\n     current cycle of reporting financial information as required in the MoU. If we\n     remove a month from the reporting cycle, the data would be due the\n     2nd business day after a month end. It is not possible at this time (nor in the\n     foreseeable future) to get final valuations of the NRRIT portfolio (data gathered\n     and MoU reports completed) 2 days after the close of the month. The reality is\n     that account valuations for all of the different types of investments are not\n     finalized until 6-8 business days after the month end. We would not want to try\n     to produce MoU reports based on preliminary data."\n\n\n4.   include footnote disclosure of the use of any out-of-date information;\n\n     We implemented this recommendation by, beginning with the first quarter of\n     fiscal year 2008, adding a footnote to the balance sheet.\n\n\n5.   advise recipients of interim financial reports prepared with out-of-date\n     information of the correct amount when it becomes available and the\n     related discrepancy.\n\n     We implemented this recommendation by, beginning with the first quarter of\n     fiscal year 2008, emailing the NRRIT balance to recipients of the balance\n     sheet.\n\n\n6.   review its existing procedures and identify means to better ensure the\n     accuracy of opening balances including timely identification to ensure\n     the accuracy of interim reporting.\n\n     We will review existing procedures and formalize them in a section of BFO\'s\n     APG. Target date: June 30, 2008.\n\n\n7.   complete the GAO checklist each year to evidence compliance with\n     GAAP or develop an equivalent control.\n\n     We currently use Section 2 (pages 2-17 and 2-18) of BFO\'s APG and reference\n     the GAO Checklist to evidence compliance with GMP. We will revise the APG to\n     formally complete the GAO Ghecklist. Target date: December 1, 2008.\n\n\n8.   determine the reason the existing control was ineffective and take\n     additional action to strengthen controls over this process.\n\n     We will take additional action to strengthen controls over this process. Target\n     date: June 30, 2008.\n\x0c                                                                      Page 23\n\n                                    -3\xc2\xad                               Attachment 2\n\n\n9.\t determine the cause of the errors identified during our audit, whether\n    existing controls were in operation, and whether additional controls may\n    be required to ensure that the financial statements, notes, and supporting\n    schedules are properly designed and operating as intended throughout\n    the year.\n\n   BFO\'s APG will have additional guidance added on these matters. Target\n   date: June 30, 2008.\n\n\n10.\t strengthen the existing review process to ensure the accuracy of\n     confirmations sent to Federal trading partners.\n\n   We have recently modified BFO\'s APG Section 9 on RRB Intragovernmental\n   Policies and Procedures and will fully implement them for the next quarterly\n   processing. Target date: June 30, 2008.\n\n\n11.\t instruct staff on the proper documentation needed to support\n      transactions prior to the preparation of the voucher, the need to evidence\n     proper voucher preparation even when automated signatures are used,\n     and the need for accurate and consistent documentation used to support\n     journal vouchers.\n\n   We will continue to instruct staff on the proper documentation for vouchers and\n   will enhance BFO\'s APG section on the preparation of vouchers. Target date:\n   June 30, 2008.\n\n\n12.\t refine the quality assurance process to increase the sample size, allow\n     for a wider selection of vouchers to be reviewed, and to redefine the\n     number of acceptable errors;\n\n   We will refine the quality assurance process. Target date: June 30, 2008.\n\n\n13.\t support the quality assurance process by documenting examples of a\n     properly completed voucher, including required documentation for each\n     recurring voucher;\n\n   We will document examples of a properly completed voucher in BFO\'s APG.\n   Target date: June 30, 2008.\n\x0c                                                                           Page\t 24\n                                         -4\xc2\xad\n                                                                           Attachment 2\n\n\n    14.\t develop a specific procedure for how the results of the qucdityassurance\n         evaluation will be used to improve performance.\n\n        We will document in BFO\'s APG a specific procedure for how results of the\n        quality assurance evaluations will be used to improve performance. Target\n        date: June 30, 2008.\n\n\n    15.\t review procedures for redemption of investments to ensure proper\n         segregation of duties.\n\n        The current responsibilities of authorizing, processing, and recording\n        investments involve at least two individuals. However, we will review the\n        procedures for possible additional segregation of duties. Target date:\n        June 30, 2008.\n\n\n    17. perform quarterly reconciliations of cumulative general ledger totals with\n        the GSA system to coincide with financial reporting cut-off dates;\n\n        This recommendation was implemented when the first quarterly reconciliation\n        was performed on the 1st quarter fiscal year 2008 totals.\n\n\n    18. analyze GSA reports to identify trends that could identify processing\n        errors; and\n\n        We implemented this recommendation by preparing trend data on a biweekly\n        basis.\n\n\n    19.\t review and update procedures and controls for recording time and\n         attendance.\n\n        We will review and update the Payroll User Guide which provides guidance for\n        time and attendance. Target date: August 30, 2008.\n\n\n\ncc:\t Ed Fleming, Accounting Officer\n     Rich Lannin, Senior Accountant\n     Liz Stubits, Accountant\n     Edie Natividad, Accountant\n     Dave Miller, Finance Officer\n     Kris Garmager, Financial Systems Manager\n     Hattie Fitzgerald, Financial Compliance Officer\n     Bill Flynn, Executive Assistant\n     Jill Roellig, Management Analyst\n\x0c                                    ATTACHMENT 3\t              Page 25\n\n\n\n                                                                     FORM 0-115\' 11-82)\n             UNITED STATES GOVERNMENT\n                                                      RAILROAD RETIREMENT BOARD\n             MEMORAND\'UM\n                                                          FEB 112008\n\n\nTO\t          Letty Benjamin Jay\n\n             Assistant Inspector General for Audit\n\n\n\nFROM\t        Steven A. Bart~~~o~.\n                            / .             ~...\n\n             General coun~ t1(r~\n\n\n\nSUBJECT\t     Draft Letter to Management\n\n             FY 2007 Financial Statement Audit\n\n\n\nThis is in response to your memorandum on the above subject dated\nFebruary 6, 2008. I have reviewed the Draft Letter to Management,\nincluding recommendation 16 concerning documentation for the legal\nrepresentation process. I concur with recommendation 16.\n\x0c                                          ATTACHMENT 4                             Page 26\n                 UNITED STATES GOVERNMENT                                              FORM G-l15f 11\xc2\xb7821\n\n                 MEMORANDUM                                           RAILROAD RETIREMENT BOARD\n\n\n\n                                                                           FEB 26 2008\n\nTO         :   Letty B. Jay\n               Assistant Inspector General for Audit\n\n\nFROM       :   John M. Walter, Chair      f\t 14.~*\n               Management Control Review Committee\n\n\nSUBJECT: Draft Letter to Management - FY 2007 Financial Statement Audit\n\n\n\nThank you for the opportunity to review and comment on the above draft report dated\nFebruary 6,2008. Our comment on the recommendation is as follows:\n\n        Recommendation 20: We recommend that the Management Control Review\n        Committee work with BFO to update the risk assessment, chart of controls and\n        flowcharts to clearly identify the RRB\'s payroll responsibilities and to identify\n        new controls, such as periodic reconciliations and the proper separation of duties.\n\n        MCRC Comment: The MCRC and staff will work with the Bureau of Fiscal\n        Operations to update documentation of payroll controls by the end of August\n        2008.\n\nWe have no comments on the other recommendations in this draft report. If you have\nany questions concerning our comments, please advise.\n\n\ncc:\t   Kenneth P. Boehne, Chief Financial Officer\n       David Miller, Finance Officer\n       Hattie Fitzgerald, Financial Compliance Officer\n       Management Control Review Committee\n       Jill Roellig, Management Analyst\n       Bill Flynn, Executive Assistant\n\x0c                                        ATTACHMENT 5                           Page 27\n                                                                                 FORM 0.1151 (1\xc2\xb792)\n                UNITED STATES GOVERNMENT\n                                                                RAILROAD RETIREMENT BOARD\n                MEMORANDUM\n                                                                   February 13,2008\n\n\n\nTO           Letty Benjamin Jay\n             Assistant Inspector General for Audit\n\n\nFROM                  .Va~       /     e~\n            Qit:eer9t"Of~ia~~r Executive Officer\nSUBJECT:\t Draft   er to Management\n          FY 2007 Financial Statement Audit\n\n\nThis is in response to your draft "Letter to Management" which was prepared in\nconjunction with the Railroad Retirement Board\'s FY 2007 financial statements audit. In\nthe letter you had asked for a statement of concurrence or non-concurrence with the\nfinding and recommendation directed to the Executive Committee.\n\n      #21. We recommend that the RRB \'s Executive Committee implement an\n      agencywide policy prohibiting employees from certifying their own time and\n      attendance or develop a compensating control.\n\nThe Executive Committee considered your recommendation and agreed to develop a\ncompensating control to monitor time and attendance certification activity. The control\nwill be implemented by each organization by May 31, 2008, or sooner.\n\nThank you for the opportunity to respond to the draft recommendation.\n\ncc: Executive Committee\n\x0c'